OpenShift GitOps Argo CD ClusterRole Reconciliation Ownership Bypass (DoS)
CVE-2026-14251 Published on July 15, 2026

Gitops-operator: gitops-operator: missing allowednamespace check in reconcilerhook for clusterrole/role cases enables potential privilege escalation and dos
A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collision, resulting in a denial of service.

NVD

Vulnerability Analysis

CVE-2026-14251 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public. 53 days later.

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-14251 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2026-14251

Want to know whenever a new CVE is published for Red Hat Openshift Gitops? stack.watch will email you.

 

Affected Versions

Red Hat OpenShift GitOps: Red Hat OpenShift GitOps: